Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- 2.5.13
- None
- None
Description
NPE is thrown by SecureASTCustomizer in this scenario:
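    import groovy.lang.GroovyShell;
    import java.util.ArrayList;
    import java.util.List;
    import org.codehaus.groovy.control.CompilerConfiguration;
    import org.codehaus.groovy.control.customizers.SecureASTCustomizer;

    SecureASTCustomizer customizer = new SecureASTCustomizer();
    List<String> list = new ArrayList<>();
    list.add("java.lang.*");
    customizer.setAllowedStarImports(list);
    customizer.setIndirectImportCheckEnabled(true);

    CompilerConfiguration conf = new CompilerConfiguration();
    conf.addCompilationCustomizers(customizer);
    GroovyShell shell = new GroovyShell(conf);

    // The script calls a method whose name is a GString (obj."${method}"())
    shell.evaluate("def obj = new Object(); def method = \"hashcode\"; obj.\"${method}\"()");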
This happens only with setIndirectImportCheckEnabled(true) and object methods being invoked by obj."${method}"();
The stacktrace is:
    Caused by: java.lang.NullPointerException
        at org.codehaus.groovy.control.customizers.SecureASTCustomizer.assertStaticImportIsAllowed(SecureASTCustomizer.java:967)
        at org.codehaus.groovy.control.customizers.SecureASTCustomizer.access$900(SecureASTCustomizer.java:184)
        at org.codehaus.groovy.control.customizers.SecureASTCustomizer$SecuringCodeVisitor.assertExpressionAuthorized(SecureASTCustomizer.java:1043)
        at org.codehaus.groovy.control.customizers.SecureASTCustomizer$SecuringCodeVisitor.visitMethodCallExpression(SecureASTCustomizer.java:1197)
        at org.codehaus.groovy.ast.expr.MethodCallExpression.visit(MethodCallExpression.java:68)
        at org.codehaus.groovy.control.customizers.SecureASTCustomizer$SecuringCodeVisitor.visitExpressionStatement(SecureASTCustomizer.java:1123)
        at org.codehaus.groovy.ast.stmt.ExpressionStatement.visit(ExpressionStatement.java:40)
        at org.codehaus.groovy.control.customizers.SecureASTCustomizer$SecuringCodeVisitor.visitBlockStatement(SecureASTCustomizer.java:1083)
        at org.codehaus.groovy.ast.stmt.BlockStatement.visit(BlockStatement.java:69)
        at org.codehaus.groovy.control.customizers.SecureASTCustomizer.call(SecureASTCustomizer.java:893)
        at org.codehaus.groovy.control.CompilationUnit.applyToPrimaryClassNodes(CompilationUnit.java:1084)
        ... 88 more